[36748] in Kerberos


Renaming principals causes them to disappear

daemon@ATHENA.MIT.EDU (Rasmus Borup Hansen)
Tue Feb 3 08:13:12 2015

From: Rasmus Borup Hansen <rbh@intomics.com>
Message-Id: <2E6B45BE-5E9A-40E4-8144-B103C4E4C3A5@intomics.com>
Date: Tue, 3 Feb 2015 14:09:35 +0100
To: kerberos@mit.edu

I'm trying to find all the steps necessary for successfully changing a username on our system, and it appears that when I try to rename the corresponding principal using kadmin, the principal just disappears (see the transcript below).

I'm using 1.12 as distributed with Ubuntu 14.04.1 LTS (Trusty), all updates installed. The KDC stores its data in an openldap directory.

I can provide more details about the setup if needed. For now I'd like to know if I'm missing anything obvious, and if other people can reproduce the behaviour I see – that should be easy to check.

Best,

Rasmus


Transcript:

Add the principal:

kadmin.local:  add_principal rbhtest3
WARNING: no policy specified for rbhtest3@INTOMICS.COM; defaulting to no policy
Enter password for principal "rbhtest3@INTOMICS.COM":
Re-enter password for principal "rbhtest3@INTOMICS.COM":
Principal "rbhtest3@INTOMICS.COM" created.

Find out what the new principal looks like:

kadmin.local:  get_principal rbhtest3
Principal: rbhtest3@INTOMICS.COM
Expiration date: [never]
Last password change: Tue Feb 03 13:32:43 CET 2015
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Feb 03 13:32:43 CET 2015 (rbh/admin@INTOMICS.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, no salt
Key: vno 1, des-cbc-md5, Version 5 - No Realm
Key: vno 1, des-cbc-md5, Version 5 - Realm Only
Key: vno 1, des-cbc-md5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Do a kinit rbhtest3 somewhere and then check that "Last successful authentication" is updated:

kadmin.local:  get_principal rbhtest3
Principal: rbhtest3@INTOMICS.COM
Expiration date: [never]
Last password change: Tue Feb 03 13:32:43 CET 2015
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Feb 03 13:32:43 CET 2015 (rbh/admin@INTOMICS.COM)
Last successful authentication: Tue Feb 03 13:33:00 CET 2015
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-md5, no salt
Key: vno 1, des-cbc-md5, Version 5 - No Realm
Key: vno 1, des-cbc-md5, Version 5 - Realm Only
Key: vno 1, des-cbc-md5, AFS version 3
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Try to rename the principal:

kadmin.local:  rename_principal rbhtest3 rbhtest4
Are you sure you want to rename the principal "rbhtest3@INTOMICS.COM" to "rbhtest4@INTOMICS.COM"? (yes/no): yes
Principal "rbhtest3@INTOMICS.COM" renamed to "rbhtest4@INTOMICS.COM".
Make sure that you have removed the old principal from all ACLs before reusing.

Check that the principal cannot be found by its old name:

kadmin.local:  get_principal rbhtest3
get_principal: Principal does not exist while retrieving "rbhtest3@INTOMICS.COM".

Try to find the principal by its new name:

kadmin.local:  get_principal rbhtest4
get_principal: Principal does not exist while retrieving "rbhtest4@INTOMICS.COM".


Intomics is a contract research organization specialized in deriving core biological insight from large scale data. We help our clients in the pharmaceutical industry develop tomorrow's medicines better, faster, and cheaper through optimized use of biomedical data.
-----------------------------------------------------------------
Hansen, Rasmus Borup              Intomics - from data to biology
System Administrator              Diplomvej 377
Scientific Programmer             DK-2800 Kgs. Lyngby
                                  Denmark
E: rbh@intomics.com               W: http://www.intomics.com/
P: +45 5167 7972                  P: +45 8880 7979
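
The final two lookups in the transcript above, scripted so that a rename is confirmed by lookup rather than by kadmin's success message. This is an added example and not part of the original post; the `KADMIN` variable, the function names and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm a principal rename by
# lookup, because the transcript shows kadmin reporting success while neither
# name resolves afterwards.
# Assumptions: KADMIN, the function names and the return codes are illustrative;
# principal names contain no whitespace or shell metacharacters.
KADMIN="${KADMIN:-kadmin.local}"   # may carry options, e.g. "kadmin -p admin/admin"

# principal_exists NAME: true if get_principal prints a record for NAME.
principal_exists() {
    $KADMIN -q "get_principal $1" 2>/dev/null | grep -q '^Principal: '
}

# verified_rename OLD NEW
#   0  NEW resolves and OLD does not (rename verified)
#   2  precondition failed (OLD missing or NEW already present), nothing changed
#   3  OLD still resolves after the rename attempt
#   4  neither name resolves: the entry is gone, as in the transcript
verified_rename() {
    old=$1
    new=$2
    if ! principal_exists "$old"; then
        echo "verified_rename: $old does not exist" >&2
        return 2
    fi
    if principal_exists "$new"; then
        echo "verified_rename: $new already exists" >&2
        return 2
    fi
    # -force skips the yes/no prompt. The exit status and the "renamed to"
    # message are deliberately not used as evidence of success.
    $KADMIN -q "rename_principal -force $old $new" >&2 || :
    if principal_exists "$old"; then
        echo "verified_rename: $old still resolves" >&2
        return 3
    fi
    if ! principal_exists "$new"; then
        echo "verified_rename: $old and $new both missing, entry lost" >&2
        return 4
    fi
    return 0
}

# Run as a script: verified_rename.sh OLD NEW
if [ "$#" -eq 2 ]; then
    verified_rename "$1" "$2"
fi
```

Return code 4 corresponds to the state shown at the end of the transcript, where both `get_principal` calls fail.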
